From f8c91b3c5f078017e1ba2fce3852862efde84e42 Mon Sep 17 00:00:00 2001
From: asklee-klawd <105007315+asklee-klawd@users.noreply.github.com>
Date: Thu, 12 Feb 2026 14:45:38 +0100
Subject: [PATCH] fix: prevent undefined token in gateway auth config (#13809)

- Guard against undefined/empty token in buildGatewayAuthConfig
- Automatically generate random token when token param is undefined, empty, or whitespace
- Prevents JSON.stringify from writing literal string "undefined" to config
- Add tests for undefined, empty, and whitespace token cases

Fixes #13756

Co-authored-by: Klawd Asklee
---
 src/commands/configure.gateway-auth.test.ts | 39 +++++++++++++++++++++
 src/commands/configure.gateway-auth.ts | 5 ++-
 2 files changed, 43 insertions(+), 1 deletion(-)

diff --git a/src/commands/configure.gateway-auth.test.ts b/src/commands/configure.gateway-auth.test.ts
index 50c6635778e..be7fe347a53 100644
--- a/src/commands/configure.gateway-auth.test.ts
+++ b/src/commands/configure.gateway-auth.test.ts
@@ -43,4 +43,43 @@ describe("buildGatewayAuthConfig", () => {
 
 expect(result).toEqual({ mode: "password", password: "secret" });
 });
+
+ it("generates random token when token param is undefined", () => {
+ const result = buildGatewayAuthConfig({
+ mode: "token",
+ token: undefined,
+ });
+
+ expect(result?.mode).toBe("token");
+ expect(result?.token).toBeDefined();
+ expect(result?.token).not.toBe("undefined");
+ expect(typeof result?.token).toBe("string");
+ expect(result?.token?.length).toBeGreaterThan(0);
+ });
+
+ it("generates random token when token param is empty string", () => {
+ const result = buildGatewayAuthConfig({
+ mode: "token",
+ token: "",
+ });
+
+ expect(result?.mode).toBe("token");
+ expect(result?.token).toBeDefined();
+ expect(result?.token).not.toBe("undefined");
+ expect(typeof result?.token).toBe("string");
+ expect(result?.token?.length).toBeGreaterThan(0);
+ });
+
+ it("generates random token when token param is whitespace only", () => {
+ const result = buildGatewayAuthConfig({
+ mode: "token",
+ token: " ",
+ });
+
+ expect(result?.mode).toBe("token");
+ expect(result?.token).toBeDefined();
+ expect(result?.token).not.toBe("undefined");
+ expect(typeof result?.token).toBe("string");
+ expect(result?.token?.length).toBeGreaterThan(0);
+ });
 });
diff --git a/src/commands/configure.gateway-auth.ts b/src/commands/configure.gateway-auth.ts
index 0296c512922..396e0925746 100644
--- a/src/commands/configure.gateway-auth.ts
+++ b/src/commands/configure.gateway-auth.ts
@@ -12,6 +12,7 @@ import {
 promptModelAllowlist,
 } from "./model-picker.js";
 import { promptCustomApiConfig } from "./onboard-custom.js";
+import { randomToken } from "./onboard-helpers.js";
 
 type GatewayAuthChoice = "token" | "password";
 
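Review bot: The whitespace-only case in configure.gateway-auth.test.ts does not exercise the fix, because every assertion in it (`toBeDefined`, `not.toBe("undefined")`, `typeof` string, `length` greater than 0) also holds for the unmodified whitespace input, so the test would still pass with the guard removed. Assert on the trimmed value instead, e.g. `expect(result?.token?.trim().length).toBeGreaterThan(0);`, and add a case pinning that a supplied token such as `" abc "` comes back as `"abc"`, since the new code now trims caller-provided tokens. The three added cases differ only in their input and could be a single `it.each` table. The enclosing `describe` block starts above this hunk.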
@@ -35,7 +36,9 @@ export function buildGatewayAuthConfig(params: {
 }
 
 if (params.mode === "token") {
- return { ...base, mode: "token", token: params.token };
+ // Guard against undefined/empty token to prevent JSON.stringify from writing the string "undefined"
+ const safeToken = params.token?.trim() || randomToken();
+ return { ...base, mode: "token", token: safeToken };
 }
 return { ...base, mode: "password", password: params.password };
 }
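Review bot: The `safeToken` fallback silently mints a new gateway credential (and trims a supplied one) without telling the caller that the stored token may now differ from the `params.token` it passed in. If a caller prints or reuses its own value after this call (callers are not visible here), the user would be shown a token the gateway will not accept, and a re-run with a blank token would presumably rotate the credential without notice. Either resolve the token in the caller and have this function reject blanks, or document the contract on the guard, e.g. `// Blank/undefined token: mint a fresh one so an empty credential is never persisted; callers must read the token back from the returned config.` `randomToken` is imported from `./onboard-helpers.js` and not shown, so confirm it draws from a CSPRNG such as `crypto.randomBytes`, since its output becomes the gateway's auth secret. The body of `buildGatewayAuthConfig` starts above this hunk.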